The U.S. version of the Metro International website is serving up malicious code, according to a blog post by the researchers at Websense Security Labs who detected the compromise.
Metro publishes daily newspapers that are distributed in areas where the number of commuters is high or in the public transport system — U.S. markets are New York, Boston and Philadelphia.
Visitors to the main metro.us web page, which has more than one million visitors monthly and where Websense found injected code in several locations, are redirected to metro.us/new York/, a page injected with a malicious iFrame.
The malware sends users to websites hosting a heavily obfuscated Rig Exploit Kit (used in the past to distribute ransomware like CryptoWall), which drops a malicious executable on a victim’s computer. Websense has alerted the Metro IT team and says the media company is investigating.